Abstract

This work develops a measurement-driven and model-based formal verification approach, applicable to systems with partly unknown dynamics. We provide a principled method, grounded on reachability analysis and on Bayesian inference, to compute the confidence that a physical system driven by external inputs and accessed under noisy measurements verifies a temporal logic property. A case study is discussed, where we investigate the bounded- and unbounded-time safety of a partly unknown linear time invariant system.
1 Introduction

The design of complex, high-tech, safety-critical systems such as autonomous vehicles, intelligent robots, and cyber-physical infrastructures, demands guarantees on their correct and reliable behaviour. Correct functioning and reliability over models of systems can be attained by the use of formal methods. Within the computer sciences, the formal verification of software and hardware has successfully led to industrially relevant and impactful applications [13]. Carrying the promise of a decrease in design faults and implementation errors and of correct-by-design synthesis, the use of formal methods, such as model checking [13], has become a standard in the avionics, automotive, and railway industries [34]. Life sciences [6,14] and general engineering applications [5,11] have also recently pursued the extension of these successful techniques from computer science: this has required a shift from finite-state to physical and cyber-physical models that are of practical use in today's science and technology [23,32].

The strength of formal techniques, such as model checking, is bound to the fundamental requirement of having access to a given model, obtained from the knowledge of the behaviour of the underlying system of interest. In practice, for most physical systems the dynamical behaviour is known only in part: this holds in particular for biological systems [1] or for classes of engineered systems where, as a consequence, the use of uncertain control models built from data is a common practice [22].

Only limited work within the formal methods community deals with the verification of models with partly unknown dynamics. Classical results [4,19] consider the verification problem for non-stochastic models described by differential equations and with bounded parametric uncertainty. Similarly, but for continuous-time probabilistic models, [9,10] explore the parameter space with the objective of model verification (respectively statistical or probabilistic). Whenever full state measurements of the system are available, Statistical Model Checking (SMC) [31,24] replaces model(-based) checking procedures with empirical testing of formalised properties. SMC is limited to fully observable stochastic systems with little or no non-determinism, and may require gathering a large set of measurements. Extensions towards the inclusion of non-determinism have been studied in [18,25], with preliminary steps towards Markov decision processes. Related to SMC techniques, but bound to finite-state models, [12,27,30] assume that the system is encompassed by a finite-state Markov chain and efficiently use data to learn the corresponding model and to verify it. Similarly, [3,8] employ machine learning techniques to infer finite-state Markov models from data over specific logical formulae.

An alternative approach, allowing both partly unknown dynamics over uncountable (continuous) variables and noisy output measurements, is the usage of a Bayesian framework relating the confidence in a formal property to the uncertainty of a model built from data. When applied to nonlinearly parameterised linear time invariant (LTI) models, this approach introduces huge computational problems, which, as proposed in [16], can only be mitigated by statistical methods. Instead, to obtain reliable and numerical solutions, we propose the use of linearly parameterised model sets defined through orthonormal basis functions to represent these partially unknown systems. This is a broadly used framework in system identification [21,22]: it allows for the incorporation of prior knowledge, while maintaining the benefits (computational aspects) of linear parameterisations. Practically, it has been widely used for the modelling of physical systems, such as the thermal dynamics of buildings [35]. In contrast, in this paper we pursue a promising new numerical approach: instead of employing directly a nonlinearly parameterised model, we embed it in a linearly parameterised one via a series expansion of orthonormal basis functions.

In this contribution we further analyse and extend the related results in [17], obtained for a time-bounded subset of temporal logic properties, to unbounded-time temporal logic properties, and analyse their robustness.

2 General Framework and Problem Statement

In this section, we provide a novel methodology to verify whether a system S satisfies a specification $\psi$, formulated in a suitable temporal logic, by integrating the partial knowledge of the system dynamics with data obtained from a measurement set-up around the system.

Let us further clarify this framework. Let us denote with S a physical system, or equivalently the associated dynamical behaviour. A signal input $u(t) \in \mathbb{U}$, $t \in \mathbb{N}$, captures how the environment acts on the system. Similarly, an output signal $y_o(t) \in \mathbb{Y}$ indicates how the system interacts with the environment, or alternatively how the system can be measured. Note that the input and output signals are assumed to take values over continuous domains. The system dynamics can be described via mathematical models, which express the behavioural relation between its inputs and outputs. The knowledge of the behaviour of the system is often limited or uncertain, making it impossible to analyse its behaviour via that of a "true" model. In this case, a-priori available knowledge allows one to construct a model set $\mathcal{G}$ with elements $M \in \mathcal{G}$: this model class supports the structured uncertainty as a distribution over a parameterisation $\theta \in \Theta$, $\mathcal{G} = \{M(\theta) \mid \theta \in \Theta\}$. The unknown "true" model $M(\theta^\circ)$ representing S is assumed to be an element of $\mathcal{G}$, namely $\theta^\circ \in \Theta$: as an example, model sets $\mathcal{G}$ obtained through first principles adhere to this classical assumption.

Samples can be drawn from the underlying physical system via a measurement set-up, as depicted in Figure 1. An experiment consists of a finite number $N_s$ of input-output samples drawn from the system, and is denoted by $Z^{N_s} = \{u(t)_{ex}, y(t)_{ex}\}_{t=1}^{N_s}$, where $u(t)_{ex} \in \mathbb{U}$ is the input for the experiment and $y(t)_{ex}$ is a (possibly noisy) measurement of $y_o(t)_{ex}$. In general, the measurement noise can enter non-additively and be a realisation of a stationary stochastic process¹. We assume that at the beginning of the measurement procedure (say at t = 0), the initial condition of the system, encompassed by the initial state $x(0)_{ex}$ of the models in $\mathcal{G}$, is either known, or, when not known, has a structured uncertainty distribution based on the knowledge of past inputs and/or outputs. As is reasonable, we implicitly consider only well-defined problems, such that for any model representing the system, given a signal input $u(t)_{ex}$ and an (uncertainty distribution for) $x(0)_{ex}$, the probability density distribution of the measured signal can be fully characterised.

Fig. 1. System and measurement setup. In the measurement setup (grey box) the measured output $y(t)_{ex}$ includes the system output $y_o(t)_{ex}$ and the measurement noise $e(t)$. Data collected from experiments comprises the input $u(t)_{ex}$ and the measured output $y(t)_{ex}$ signals.

The end objective is to analyse the behaviour of system S. We consider properties encoded as specifications $\psi$ and expressed in a temporal logic of choice (to be detailed shortly). Let us remark that the behaviour of S to be analysed is bound to a set of operating conditions that are pertinent to the verification problem and that will be indexed with ver: this comprises the set of possible input signals $u(t)_{ver}$ (e.g., a white or coloured noise signal, or a non-deterministic signal $u(t)_{ver} \in \mathbb{U}_{ver} \subset \mathbb{U}$), and the set of initial states $x(0)_{ver} \in \mathbb{X}_{ver}$ for the mathematical models M reflecting past inputs and/or outputs of the system. The system satisfies a property if the "true" model representing it satisfies it, namely $S \models \psi$ if and only if $M(\theta^\circ) \models \psi$.

¹ Both the operating conditions of the experiment, that is the input signal $u(t)_{ex}$ and the initial state $x(0)_{ex}$, and the measurements have been indexed with ex to distinguish them from the operating conditions of interest for verification, to be discussed shortly.
In this work we consider the satisfaction of a property $M(\theta) \models \psi$ as a binary-valued mapping from the parameter space $\Theta$. More generally, when in addition to the measurements of the system also its transitions are disturbed by stochastic noise, then property satisfaction is a mapping from the parameter space $\Theta$ to the interval [0,1], and quantifies the probability that the model $M(\theta)$ satisfies the property. This mapping generalises the definition of the satisfaction function introduced in [9], and is now stated as follows.

Definition 1 (Satisfaction Function) Let $\mathcal{G}$ be a set of models M that is indexed by a parameter $\theta \in \Theta$, and let $\psi$ be a formula in a suitable temporal logic. The satisfaction function $f_\psi : \Theta \to [0,1]$ associated with $\psi$ is

$$f_\psi(\theta) = P\big(M(\theta) \models \psi\big). \quad (1)$$

Let us assume that the satisfaction function is measurable and entails a decidable verification problem (e.g., a model checking procedure) for all $\theta \in \Theta$.

Problem 1 For a partly unknown physical system S, under prior knowledge on the system given as a parameterised model class $\mathcal{G}$ supporting an uncertainty distribution over the parameterisation, gather possibly noisy data drawn from the measurement setup and verify properties on S expressed in a temporal logic of choice, with a formal quantification of the confidence of the assertion.


2.1 A Bayesian Framework for Data-driven Modelling and Verification

Consider Problem 1. Denote loosely with P(·) and p(·) respectively a probability measure and a probability density function, both defined over a continuous domain. We employ Bayesian probability calculus [26] to express the confidence in a property as a measure of the uncertainty distribution defined over the set $\mathcal{G}$. By adopting the Bayesian framework, uncertainty distributions are handled as probability distributions of random variables. Therefore the confidence in a property is computed as a probability measure P(·) via the densities p(·) over the uncertain variables.

Proposition 1 (Bayesian Confidence) Given a specification $\psi$ and a data set $Z^{N_s}$, the confidence that $S \models \psi$ can be quantified via inference as

$$P\big(S \models \psi \mid Z^{N_s}\big) = \int_{\Theta} f_\psi(\theta)\, p\big(\theta \mid Z^{N_s}\big)\, d\theta, \quad (2)$$

where $f_\psi$ is the satisfaction function given in (1). The a-posteriori uncertainty distribution $p(\theta \mid Z^{N_s})$, given the data set $Z^{N_s}$, is based on parametric inference over $\theta$ as

$$p\big(\theta \mid Z^{N_s}\big) = \frac{p\big(Z^{N_s} \mid \theta\big)\, p(\theta)}{\int_{\Theta} p\big(Z^{N_s} \mid \theta\big)\, p(\theta)\, d\theta}, \quad (3)$$

which presumes an uncertainty distribution $p(\theta)$ over the parameter set $\Theta$, representing the prior knowledge.

The statement can be formally derived based on standard Bayesian calculus, as in [26]. We have chosen to employ a Bayesian framework, as per (3), since it allows us to reason explicitly over the uncertain knowledge on the system and to work with the data acquired from the measurement setup. This leads to the efficient incorporation of the available knowledge and to its combination with the data acquisition procedure, in order to compute the confidence on the validity of a given specification over the underlying system. As a special instance, this result can be employed for Bayesian hypothesis testing [36]. As long as the mapping is measurable, the models in the model set (and hence the system represented by it) can be characterised by either probabilistic or non-probabilistic dynamics.

Remark 2 In statistical model checking [24,31], the objective is to replace the computationally tolling verification of a system over bounded-time properties by the empirical (statistical) testing of the relevant specifications over finite executions drawn from the system. In contrast, our problem statement tackles the problem of efficiently incorporating data with prior knowledge, for the formal (deductive) verification of the behaviour of a system with partly unknown dynamics; as such, our overall verification approach is, as claimed, both data-driven and model-based. Moreover, by separating the operational conditions in an experiment from those of importance for the verification procedure, the system can be verified over non-deterministic inputs, encompassing as such both controller and disturbance inputs, or modelling errors.

2.2 Computational Approaches

The Bayesian approach is widely applicable to different types of properties and models; however, its computational complexity might in practice limit its implementation. In the literature the satisfaction function $f_\psi(\theta)$ is related to the exploration of a parameter set over the validity of a formal property, and has been studied for autonomous models in continuous time in [4,15,19]. Analytical solutions to the parametric inference equation (3) can be found if the prior is a conjugate distribution. For linear dynamical systems, closed-form solutions are given inter alia in [28]. In general (2)-(3) in Proposition 1 lack analytical solutions, and the assessment of the satisfaction function (1) may be computationally intensive. Statistical methods such as the one proposed in [16] on a similar Bayesian approach lead to involved computations and introduce additional uncertainty from Monte Carlo techniques.

On the contrary, in the next section, we propose a novel computational approach over discrete-time linear time-invariant systems. By exploiting linear parameterisations, analytical solutions of both the parametric inference and the satisfaction function are characterised for properties expressed within a fragment of a temporal logic.

3 LTL Verification of LTI systems

Consider a system S that can be represented by a class of finite-dimensional dynamical models that evolve in discrete time, and are linear, time-invariant (LTI), and not probabilistic. These models depend on input and output signals ranging over $\mathbb{R}^m$ and $\mathbb{R}^p$ respectively, and on variables $x_s(t)$ taking values in a Euclidean space, $x_s(t) \in \mathbb{X} \subset \mathbb{R}^n$, where n, the state dimension, is the model order. The behaviour of such a system is encompassed by state-space models $(A_s, B_s, C_s, D_s)$ as

$$x_s(t+1) = A_s x_s(t) + B_s u(t),$$
$$y_o(t) = C_s x_s(t) + D_s u(t),$$

where matrices $A_s, B_s, C_s, D_s$ are of appropriate dimensions. Let us remark that LTI systems represent the most common modelling framework in control theory, a key framework leading towards generalisations to more complicated (e.g., nonlinear) dynamical models. The experimental measurement setup, as depicted in Figure 1, consists of the signals $u(t)_{ex}$ and $y(t)_{ex} = y_o(t)_{ex} + e(t)$, representing the inputs and the measured outputs, respectively, and where $e(t)$ is an additive zero-mean, white, Gaussian-distributed measurement noise with covariance $\Sigma_e$ that is uncorrelated from the inputs. $N_s$ samples are collected within a data set $Z^{N_s} = \{u(t)_{ex}, y(t)_{ex}\}_{t=1}^{N_s}$.

System properties are expressed, over a finite set of atomic propositions $p_i \in AP$, $i = 1, \ldots, |AP|$, in Linear-time Temporal Logic [2]. LTL formulae are built recursively via the syntax $\psi ::= \mathrm{true} \mid p \mid \neg\psi \mid \psi \wedge \psi \mid \psi \vee \psi \mid \bigcirc\psi \mid \psi\,\mathcal{U}\,\psi$. Let $\pi = \pi(0), \pi(1), \pi(2), \ldots$ be a string composed of letters from the alphabet $\Sigma = 2^{AP}$, and let $\pi_t = \pi(t), \pi(t+1), \pi(t+2), \ldots$ be a subsequence of $\pi$; then the satisfaction relation between $\pi$ and $\psi$ is denoted as $\pi \models \psi$ (or equivalently $\pi_0 \models \psi$). The semantics for the satisfaction are defined recursively over $\pi_t$ and the LTL syntax as

(true) $\pi_t \models \mathrm{true}$ $\Leftrightarrow$ true
(atomic prop.) $\pi_t \models p$ $\Leftrightarrow$ $p \in \pi(t)$
(negation) $\pi_t \models \neg\psi$ $\Leftrightarrow$ $\pi_t \not\models \psi$
(conjunction) $\pi_t \models \psi_1 \wedge \psi_2$ $\Leftrightarrow$ $\pi_t \models \psi_1$ and $\pi_t \models \psi_2$
(disjunction) $\pi_t \models \psi_1 \vee \psi_2$ $\Leftrightarrow$ $\pi_t \models \psi_1$ or $\pi_t \models \psi_2$
(next) $\pi_t \models \bigcirc\psi$ $\Leftrightarrow$ $\pi_{t+1} \models \psi$
(until) $\pi_t \models \psi_1\,\mathcal{U}\,\psi_2$ $\Leftrightarrow$ $\exists i \in \mathbb{N} : \pi_{t+i} \models \psi_2$, and $\forall j \in \mathbb{N} : 0 \le j < i$, $\pi_{t+j} \models \psi_1$

Denote the k-bounded and unbounded invariance operators as $\square^k\psi = \bigwedge_{i=0}^{k} \bigcirc^i\psi$ and $\square\psi = \neg(\mathrm{true}\,\mathcal{U}\,\neg\psi)$, respectively.

Of interest are formal properties encoded on the input-output behaviour of the system, and over a time horizon $t \ge 0$. The output $y_o(t)_{ver} \in \mathbb{Y}$ is labelled by a map $L : \mathbb{Y} \to \Sigma$, which assigns letters $\alpha$ in the alphabet $\Sigma$ via half spaces on the output, as

$$L\big(y_o(t)_{ver}\big) = \alpha \in \Sigma \;\Leftrightarrow\; \bigwedge_{p_i \in \alpha} A_{p_i}\, y_o(t)_{ver} \le b_{p_i}, \quad (5)$$

for given $A_{p_i}$ and $b_{p_i} \in \mathbb{R}$; that is, sets of atomic propositions are associated to polyhedra over $\mathbb{Y} \subset \mathbb{R}^p$. Let us underline that properties are defined over the behaviour $y_o(t)_{ver}$ of the system, and not over the noisy measurements $y(t)_{ex}$ of the system in the measurement setup. Additionally, for the verification problem the input signal is modelled as a bounded signal $u(t) \in \mathbb{U}_{ver}$, and represents possible external non-determinism of the environment acting on the system.

3.1 Model Set Selection

As a first step we need to embed the a-priori available knowledge on the underlying system within a parameterised model set, under a prior distribution. The use of linearly parameterised model sets defined through orthonormal basis functions to represent partially unknown systems is a broadly used framework in system identification: it allows for the incorporation of prior knowledge, while maintaining the benefits (computational aspects) of linear parameterisations. Practically, it has been widely used for the modelling of physical systems, such as the thermal dynamics of buildings [35,29]. Note that although the goal of parameter exploration in formal verification has recently attracted quite some attention [4,15,19], there are as of yet no general scalable results for the computation of the satisfaction function for nonlinearly-parameterised discrete-time LTI models. Whilst in general linear time-invariant models with uncertain parameters do not map onto a linearly-parameterised model set, we argue that a linearly-parameterised model set can encompass a relevant class of models. For instance, any asymptotically stable LTI model can be represented uniquely by its (infinite) impulse response [20], and the coefficients of the impulse response define a linear parameterisation for this model. Further, the coefficients of the impulse response converge to zero, so that a truncated set of impulse coefficients can provide a good approximate model set with a finite-dimensional, linear parameterisation. This is only one possible instance of modelling by a finite set of orthonormal basis functions [21, Chapters 4 and 7],[33], which can be selected to optimally incorporate prior knowledge: we conclude that, as an alternative to the use of a nonlinearly parameterised set of models, structural information (even when inexact) can be used to select a set of orthonormal basis functions, whose finite truncation defines a finite-dimensional linearly-parameterised model set indexed over the coefficients of the basis functions. Thus, in the following we consider a linearly parameterised model set $\mathcal{G}$ that encapsulates system S, and specifically $\mathcal{G} = \{(A, B, C(\theta), D(\theta)),\ \theta \in \Theta\}$.

A system, or equivalently the mathematical model that represents it, satisfies a property if all the words generated by the model satisfy that property. Since properties are encoded over the external (input-output) behaviour of the system S, which is the behaviour of $M(\theta^\circ)$, $\theta^\circ \in \Theta$, we can equivalently assert that any property $\psi$ is verified by the system, $S \models \psi$, if and only if it is verified by the unknown model representing the system, namely $M(\theta^\circ) \models \psi$. Introduce $\Theta_\psi$ to be the feasible set of parameters, such that for every parameter in that set the property $\psi$ holds, i.e., $\forall\theta \in \Theta_\psi : M(\theta) \models \psi$. As such $\Theta_\psi$ is characterised as the level set of the satisfaction function $f_\psi$, $\Theta_\psi = \{\theta \in \Theta : f_\psi(\theta) = 1\}$.

3.2 Safety Verification of Bounded-time Properties

Models M in the class $\mathcal{G}$ have the following representation $(A, B, C(\theta), 0)$:

$$M(\theta) : \quad x(t+1) = A x(t) + B u(t), \qquad y(t, \theta) = C(\theta)\, x(t), \quad (6)$$

and are parameterised by $\theta \in \Theta$, $\theta = \mathrm{vec}(C)$, with a prior probability distribution $p(\theta)$. In addition to this strictly proper model class we will also allow for proper models $(A, B, C(\theta), D(\theta))$ where both the C and the D matrices are parameterised and the parameterisation is $\theta = \mathrm{vec}([C\ D])$. For a given initial condition x(0) and input sequence, the output of the "true" model $y(t, \theta^\circ)$ is equal to the system output $y_o(t)$.

Consider a measurement set-up as in Figure 1 with unknown parameter $\theta^\circ$. Then $u(t)_{ex}$ and $y(t)_{ex}$ represent the input and the measured output, respectively, and $e(t)$ is an additive zero-mean, white, Gaussian-distributed measurement noise with covariance $\Sigma_e$ that is uncorrelated from the input. Furthermore $u(t)$ is assumed to be uncorrelated with the noise $e(t)$. From this set-up $N_s$ samples are collected in a data set $Z^{N_s} = \{u(t)_{ex}, y(t)_{ex}\}_{t=1}^{N_s}$.

Therefore, given the operating conditions of the experiment set-up, the measured signal $y(t)_{ex}$ can be fully characterised: its probability density, conditional on the parameters $\theta$, is

$$p\big(Z^{N_s} \mid \theta\big) = \prod_{t=1}^{N_s} p\big(y(t)_{ex} \mid \theta\big) = \frac{1}{\sqrt{|\Sigma_e|\,(2\pi)^p}^{\,N_s}} \exp\Big(-\frac{1}{2} \sum_{t=1}^{N_s} \big(y(t,\theta) - y(t)_{ex}\big)^T \Sigma_e^{-1} \big(y(t,\theta) - y(t)_{ex}\big)\Big)$$

and can be directly used in Proposition 1. This conditional density depends implicitly on the given initial state $x(0)_{ex}$ and, for the case of a given uncertainty distribution for $x(0)_{ex}$, $p(Z^{N_s} \mid \theta)$ should be marginalised as a latent variable [28]. The a-posteriori uncertainty distribution is obtained as the analytical solution of the parametric inference in (3) [28].

Recall now that for a given specification $\psi$, we seek to determine a feasible set of parameters $\Theta_\psi$, such that the corresponding models admit property $\psi$, namely $M(\theta) \models \psi$, $\forall\theta \in \Theta_\psi$. Since models $M(\theta)$ have a linearly-parameterised state space realisation as per (6), it follows that when the set of initial states and inputs $\mathbb{X}_{ver}$ and $\mathbb{U}_{ver}$ are bounded polyhedra, the verification of a class of safety properties expressed by formulae with labels as in (5) leads to a set of feasible parameters $\Theta_\psi$ that is a polyhedron, which can be easily computed. More precisely, the following theorem can be derived.

Theorem 3 ([17]) Given a bounded polyhedral set (or equivalently a polytope²) of initial states $x(0) \in \mathbb{X}_{ver}$ and of inputs $u(t) \in \mathbb{U}_{ver}$ for $t \ge 0$, and considering a labelling map as in (5), then the feasible set $\Theta_\psi$ of the parameterised model set (6) results in a polyhedron for properties $\psi$ composed of the LTL fragment $\psi ::= \alpha \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$, with $\alpha \in \Sigma$.

Proof [of Theorem 3] Let $\otimes$ denote the Kronecker product. Consider the input set $\mathbb{U}_{ver}$ to be the convex hull of U, i.e. $\mathrm{conv}(U) = \mathbb{U}_{ver}$. Similarly let the set of initial states be $\mathrm{conv}(X_{ver}) = \mathbb{X}_{ver}$. Let the model set be given as $M(\theta) = (A, B, C(\theta), D)$. We will temporarily assume that D is set equal to zero. Afterwards we will show how to work with a parameterised D. Note that the syntax fragment $\psi ::= \alpha \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$ with $\alpha \in \Sigma = 2^{AP}$ is equivalent to $\psi ::= p \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$ with $p \in AP$.

1. We claim that for every specification $\psi$ composed from the syntax fragment $\psi ::= p \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$ and $\theta \in \Theta$, the words generated by a model $M(\theta) = (A, B, C(\theta), 0)$ with state x(t) satisfy the specification $\psi$, denoted $\langle M(\theta), x(t)\rangle \models \psi$, if and only if

$$\Big(\big(I_{n_\psi} \otimes x(t)\big)^T N_\psi + K_\psi\Big)\,\theta \le B_\psi. \quad (7)$$

The matrices $N_\psi$, $K_\psi$, $B_\psi$ in the above satisfaction relation have dimensions that are functions of the parametrisation and of the property-dependent "dimension" $n_\psi$, and are obtained inductively over the syntax of the specification.

For any atomic proposition $p_i$ the model starting from state x(t) satisfies the property $p_i$, i.e., $\langle M(\theta), x(t)\rangle \models p_i \Leftrightarrow A_{p_i}\, y \le b_{p_i}$, with given $A_{p_i}$ and $b_{p_i} \in \mathbb{R}$; we construct the matrices $N_{p_i}$, $K_{p_i}$ and $B_{p_i}$ as follows. Consider y(t) for a given x(t), then

$$A_{p_i}\, y(t) = A_{p_i}\, C(\theta)\, x(t) = x(t)^T \big(I_n \otimes A_{p_i}\big)\,\theta.$$

This yields $N_{p_i} = (I_n \otimes A_{p_i})$, $K_{p_i} = 0_{1 \times np}$ and $B_{p_i} = b_{p_i} \in \mathbb{R}$.

The and operation $\psi_1 \wedge \psi_2$ for $(N_{\psi_1}, K_{\psi_1}, B_{\psi_1})$ and $(N_{\psi_2}, K_{\psi_2}, B_{\psi_2})$, with $n_{\psi_1 \wedge \psi_2} = n_{\psi_1} + n_{\psi_2}$, gives

$$N_{\psi_1 \wedge \psi_2} = \begin{bmatrix} N_{\psi_1} \\ N_{\psi_2} \end{bmatrix}, \qquad K_{\psi_1 \wedge \psi_2} = \begin{bmatrix} K_{\psi_1} \\ K_{\psi_2} \end{bmatrix}, \qquad B_{\psi_1 \wedge \psi_2} = \begin{bmatrix} B_{\psi_1} \\ B_{\psi_2} \end{bmatrix}.$$

This can be derived from the semantics of the conjunction: $\langle M(\theta), x(t)\rangle \models \psi_1 \wedge \psi_2$ holds if and only if the inequalities of the form (7) for $\psi_1$ and for $\psi_2$ both hold, so that their rows can be stacked.

The next operation $\bigcirc\psi_1$ with matrices $(N_{\psi_1}, K_{\psi_1}, B_{\psi_1})$ yields matrices

$$N_{\bigcirc\psi_1} = 1_{|U|} \otimes \big(I_{n_{\psi_1}} \otimes A^T\big) N_{\psi_1},$$
$$K_{\bigcirc\psi_1} = W \big(I_{n_{\psi_1}} \otimes B^T\big) N_{\psi_1} + 1_{|U|} \otimes K_{\psi_1},$$
$$B_{\bigcirc\psi_1} = 1_{|U|} \otimes B_{\psi_1},$$

where the i-th set of $n_{\psi_1}$ rows of W is defined as $(I_{n_{\psi_1}} \otimes u_i^T)$ with $u_i \in U$, and where $n_{\bigcirc\psi_1} = |U|\, n_{\psi_1}$. This can be derived as

$$\langle M(\theta), x(t)\rangle \models \bigcirc\psi_1 \;\Leftrightarrow\; \forall u(t) \in \mathbb{U}_{ver} : \Big(\big(I_{n_{\psi_1}} \otimes x(t+1)\big)^T N_{\psi_1} + K_{\psi_1}\Big)\theta \le B_{\psi_1}$$
$$\Leftrightarrow\; \forall u(t) \in \mathbb{U}_{ver} : \Big(\big(I_{n_{\psi_1}} \otimes A x(t)\big)^T N_{\psi_1} + \big(I_{n_{\psi_1}} \otimes B u(t)\big)^T N_{\psi_1} + K_{\psi_1}\Big)\theta \le B_{\psi_1}.$$

Since the above is an affine function in u(t), the image of every $u(t) \in \mathrm{conv}(U) = \mathbb{U}_{ver}$ can be expressed as a convex combination of the values at the vertices $u_i \in U$, c.f. [6]. Then an equivalent expression is

$$\Leftrightarrow\; \forall u_i \in U : \Big(\big(I_{n_{\psi_1}} \otimes A x(t)\big)^T N_{\psi_1} + \big(I_{n_{\psi_1}} \otimes u_i\big)^T \big(I_{n_{\psi_1}} \otimes B^T\big) N_{\psi_1} + K_{\psi_1}\Big)\theta \le B_{\psi_1},$$

which can be rewritten as

$$\Big(1_{|U|} \otimes \big(I_{n_{\psi_1}} \otimes A x(t)\big)^T N_{\psi_1} + W \big(I_{n_{\psi_1}} \otimes B^T\big) N_{\psi_1} + 1_{|U|} \otimes K_{\psi_1}\Big)\theta \le 1_{|U|} \otimes B_{\psi_1}.$$

Having obtained $K_{\bigcirc\psi_1}$ and $B_{\bigcirc\psi_1}$, now rewrite the first term to obtain $N_{\bigcirc\psi_1}$:

$$1_{|U|} \otimes \big(I_{n_{\psi_1}} \otimes x^T(t)\big)\big(I_{n_{\psi_1}} \otimes A^T\big) N_{\psi_1} = \big(I_{|U|}\, 1_{|U|}\big) \otimes \big(I_{n_{\psi_1}} \otimes x^T(t)\big)\big(I_{n_{\psi_1}} \otimes A^T\big) N_{\psi_1} = \big(I_{|U| n_{\psi_1}} \otimes x^T(t)\big)\Big(1_{|U|} \otimes \big(I_{n_{\psi_1}} \otimes A^T\big) N_{\psi_1}\Big).$$

2. The matrix-valued function $(I_{n_\psi} \otimes x(0))^T N_\psi$ is affine in $x^T(0)$ (for a fixed $\theta$), therefore its value at the initial condition $x(0) \in \mathbb{X}_{ver}$ is a convex combination of the function values at the vertices $X_{ver}$ of $\mathbb{X}_{ver}$. Thus the satisfaction relation $\langle M(\theta), x(0)\rangle \models \psi$ represented by the multi-affine inequality holds uniformly over $x(0) \in \mathbb{X}_{ver}$ if and only if it holds for the vertices of $\mathbb{X}_{ver}$.

This gives a set of affine inequalities in $\theta$, thus the feasible set $\Theta_\psi$ is a polyhedron and is given as

$$\Theta_\psi = \Big\{\theta \in \Theta : \bigwedge_{x_i \in X_{ver}} \Big(\big(I_{n_\psi} \otimes x_i\big)^T N_\psi + K_\psi\Big)\theta \le B_\psi\Big\}.$$

The set $\Theta_\psi$ is a polyhedron, since it is formed by a finite set of half spaces.

3. To prove Theorem 3 we need to extend the results to models with parameterised D. The dynamics of a model (A, B, C, D) with both C and D fully parameterised can be reformulated over the extended state $[x(t)^T\ u(t)^T]^T$ as

$$\begin{bmatrix} x(t+1) \\ u(t+1) \end{bmatrix} = \begin{bmatrix} A & B \\ 0 & 0 \end{bmatrix} \begin{bmatrix} x(t) \\ u(t) \end{bmatrix} + \begin{bmatrix} 0 \\ I \end{bmatrix} u(t+1), \qquad y(t) = \begin{bmatrix} C & D \end{bmatrix} \begin{bmatrix} x(t) \\ u(t) \end{bmatrix}.$$

Using the new matrices $(\tilde{A}, \tilde{B}, \tilde{C}(\theta), 0)$ the obtained results still hold. For part 2 the set of vertices $X_{ver}$ needs to be extended with the vertices of U as $X_{ver} \times U$. □

In the computation of the feasible set, the faces of the polyhedron $\Theta_\psi$ are shown to be a function of the vertices of the bounded set of initial states $\mathbb{X}_{ver}$ and of the set of inputs $\mathbb{U}_{ver}$, and are also expected to grow in number as a function of the time horizon of the property. The result in Theorem 3 is valid for any finite composition of the LTL fragment $\psi ::= \alpha \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$; as such it only holds for finite-horizon properties. Properties defined over the infinite horizon will be the objective of Section 3.4.

3.3 Case Study: Bounded-Time Safety Verification

Consider a system S and verify whether the output $y_o(t)_{ver}$ remains within the interval $I = [-0.5, 0.5]$, labelled as $\iota$, for the next 5 time steps, under $u(t)_{ver} \in \mathbb{U}_{ver} = [-0.2, 0.2]$ and $x(0)_{ver} \in \{0_2\} = \mathbb{X}_{ver}$. Introduce accordingly the alphabet $\Sigma = \{\iota, \tau\}$ and the labelling map $L : L(y) = \iota\ \forall y \in I$, $L(y) = \tau\ \forall y \in \mathbb{Y} \setminus I$. Now check whether the following LTL property holds: $S \models \bigwedge_{k=1}^{5} \bigcirc^k \iota$. We assume that system S can be represented as an element of a model set $\mathcal{G}$ with transfer functions characterised by second-order Laguerre-basis ones [20] (a special case of orthonormal basis functions), which translates to the following parameterised state-space representation:

$$x(t+1) = \begin{bmatrix} a & 0 \\ 1 - a^2 & a \end{bmatrix} x(t) + \begin{bmatrix} \sqrt{1 - a^2} \\ (-a)\sqrt{1 - a^2} \end{bmatrix} u(t), \qquad y(t, \theta) = \theta^T x(t). \quad (8)$$

The parameter set is chosen as $\theta \in \Theta = [-10, 10]^2$, whereas the coefficient a is chosen to be equal to 0.4. We select, as prior available knowledge on the system, a uniform distribution $p(\theta)$ on the model class, and pick a known variance $\sigma_e^2 = 0.5$ for the white additive noise on the measurement. The set of feasible parameters $\Theta_\psi \subset \Theta$ is represented in Figure 2 and is computed according to Theorem 3. Based on the prior available knowledge, the confidence associated to $\theta^\circ \in \Theta_\psi$ amounts to 0.0160³. In comparison to this value, after doing an experiment on the system with "true parameter" $\theta^\circ = [1\ 0]^T$ (Figure 2) and with input signal $u(t)_{ex}$, a realisation of a white noise with a uniform distribution over [-0.2, 0.2], and measuring $y(t)_{ex}$ for 200 consecutive time instances, the uncertainty distribution is refined as $p(\theta \mid Z^{N_s})$. The resulting confidence (2) in the property is increased to 0.779.

Along this line of experiments, we have repeated the test 100 times, for several instances of the parameter $\theta^\circ$ characterising the underlying system S. In all instances, after obtaining 200 measurements the a-posteriori confidence represents the confidence in the safety of the system, as displayed in Table 1 via mean and variance terms.

Table 1
Mean ($\mu$) and variance ($\sigma^2$) of the confidence obtained from 100 experiments with 200 measurements each.

$\theta^\circ$      $\mu$     $\sigma^2$
[-1 -1]   0.348   0.073
[-1  0]   0.705   0.060
[-1  1]   0.492   0.086
[ 1 -1]   0.491   0.085
[ 1  0]   0.730   0.056
[ 1  1]   0.339   0.065

Fig. 2. Feasible set of parameters in $\Theta$, and contour lines of the quantity $p(\theta \mid Z^{N_s})$ obtained for $\theta^\circ = [1\ 0]^T$.

² A polytope can be written as the convex hull of a finite set of vertices.

³ This is obtained by numerical computation of (2) with probability distribution $p(\theta)$. Integrals are solved via the numerical integration tool in Matlab.
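The following is an added example, not code from the paper: it implements in Python/numpy the inductive construction of $(N_\psi, K_\psi, B_\psi)$ from the proof of Theorem 3 together with the vertex enumeration of step 2, applies it to the Laguerre model (8) with a = 0.4 and the property $\bigwedge_{k=1}^{5}\bigcirc^k\iota$, and evaluates the confidence (2) on a grid over $\Theta = [-10, 10]^2$ under the uniform prior, first a priori and then after a constructed data set of 200 noisy measurements. The data set, the random seed, the grid resolution and the helper names are this example's assumptions (the posterior will not reproduce the paper's 0.779 exactly); since feasible_set accepts an arbitrary vertex set of initial states, it also computes the map $\Theta_\psi(S)$ used in Section 3.4 for any polytope S.

```python
"""Theta_psi and Bayesian confidence for the case study of Section 3.3 (added example,
not the paper's code): the (N_psi, K_psi, B_psi) construction from the proof of
Theorem 3, the vertex polyhedron of step 2, and the confidence (2) on a grid."""
import numpy as np

a = 0.4                                          # model (8), second-order Laguerre basis
A = np.array([[a, 0.0], [1.0 - a**2, a]])
B = np.array([[np.sqrt(1.0 - a**2)], [-a * np.sqrt(1.0 - a**2)]])
n, p = 2, 1                                      # theta = vec(C(theta)) has n*p entries
U_VERT = [np.array([-0.2]), np.array([0.2])]     # vertices U of U_ver = [-0.2, 0.2]
X0_VERT = [np.zeros(n)]                          # X_ver = {0_2}


def atomic(A_p, b_p):
    """Atomic proposition A_p y <= b_p: A_p C(theta) x = x^T (I_n kron A_p) theta."""
    N = np.kron(np.eye(n), np.atleast_2d(np.asarray(A_p, dtype=float)))
    return N, np.zeros((1, n * p)), np.array([float(b_p)])


def conj(t1, t2):
    """psi1 and psi2: stack both inequality systems (n_psi = n_psi1 + n_psi2)."""
    (N1, K1, B1), (N2, K2, B2) = t1, t2
    return np.vstack((N1, N2)), np.vstack((K1, K2)), np.concatenate((B1, B2))


def nxt(t):
    """next psi: quantify over the vertices u_i of U_ver (proof of Theorem 3, step 1)."""
    N1, K1, B1 = t
    n_psi, ones = B1.shape[0], np.ones((len(U_VERT), 1))
    W = np.vstack([np.kron(np.eye(n_psi), u.reshape(1, -1)) for u in U_VERT])  # blocks I kron u_i^T
    N = np.kron(ones, np.kron(np.eye(n_psi), A.T) @ N1)
    K = W @ (np.kron(np.eye(n_psi), B.T) @ N1) + np.kron(ones, K1)
    return N, K, np.kron(ones.ravel(), B1)


def feasible_set(t, x0_vertices=X0_VERT):
    """Theta_psi(S) = {theta : H theta <= h} for S = conv(x0_vertices): eq. (7) at each vertex."""
    N, K, Bv = t
    H = [np.kron(np.eye(Bv.shape[0]), x.reshape(-1, 1)).T @ N + K for x in x0_vertices]
    return np.vstack(H), np.tile(Bv, len(x0_vertices))


def is_feasible(H, h, theta):
    return bool(np.all(H @ np.asarray(theta, dtype=float) <= h + 1e-9))


def case_study_property():
    """psi = AND_{k=1..5} next^k iota, with iota = (y <= 0.5) and (-y <= 0.5)."""
    spec, cur = None, conj(atomic([[1.0]], 0.5), atomic([[-1.0]], 0.5))
    for _ in range(5):
        cur = nxt(cur)                           # cur = next^k iota
        spec = cur if spec is None else conj(spec, cur)
    return spec


def grid_confidence(H, h, log_lik=None, lo=-10.0, hi=10.0, num=801):
    """(2) on a grid over Theta = [lo, hi]^2 with uniform prior; log_lik=None gives the prior confidence."""
    g = np.linspace(lo, hi, num)
    T1, T2 = np.meshgrid(g, g, indexing="ij")
    inside = np.ones(T1.shape, dtype=bool)
    for row, bound in zip(H, h):                 # theta lies in Theta_psi iff every half space holds
        inside &= row[0] * T1 + row[1] * T2 <= bound + 1e-12
    lw = np.zeros(T1.shape) if log_lik is None else log_lik(T1, T2)
    w = np.exp(lw - lw.max())                    # unnormalised posterior weights, eq. (3)
    return float(w[inside].sum() / w.sum())


def simulate_experiment(theta_true, n_samples=200, sigma2=0.5, seed=1):
    """Constructed Z^{N_s}: white input uniform on [-0.2, 0.2], x(0) = 0, Gaussian noise e(t)."""
    rng = np.random.default_rng(seed)
    u, x, X = rng.uniform(-0.2, 0.2, n_samples), np.zeros(n), np.zeros((n_samples, n))
    for t in range(n_samples):
        x = A @ x + B[:, 0] * u[t]
        X[t] = x                                 # regressor: y(t, theta) = theta^T x(t)
    return X, X @ np.asarray(theta_true, dtype=float) + rng.normal(0.0, np.sqrt(sigma2), n_samples)


def posterior_confidence(H, h, X, y, sigma2=0.5):
    """Gaussian likelihood of Section 3.2: sum_t (theta^T x(t) - y(t))^2 = theta^T S theta - 2 theta^T v + c."""
    S, v = X.T @ X, X.T @ y

    def log_lik(T1, T2):
        quad = S[0, 0] * T1**2 + 2.0 * S[0, 1] * T1 * T2 + S[1, 1] * T2**2
        return -(quad - 2.0 * (v[0] * T1 + v[1] * T2)) / (2.0 * sigma2)

    return grid_confidence(H, h, log_lik)


if __name__ == "__main__":
    H, h = feasible_set(case_study_property())
    X, y = simulate_experiment([1.0, 0.0])
    print(len(h), "half spaces; prior", round(grid_confidence(H, h), 4),
          "posterior", round(posterior_confidence(H, h, X, y), 3))
```

The grid estimate of the prior confidence lands near the paper's 0.0160 (the exact area fraction of the polytope), and the posterior for the constructed data set rises well above it, as in the paper's experiment.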


3.4 Verifying Unbounded-Time Properties Using In¬ 
variant Sets 

In this section we extend the approach unfolded in Sec¬ 
tion 3.2, to hold on the LTL fragment ip ::= ajOV'IV'i ^ 
ip 2 with additionally the unbounded invariance (safety) 
operator. Recall the form of the A:-bounded and of the un¬ 
bounded invariance operators, namely □^'0 = AiLo 0*A 
and Oip = -i(true U ->ip) respectively. The extension 
from a fc-bounded operator, covered by the result in The¬ 
orem 3, to the unbounded invariance one, is based on 
the concept of robust positive invariance [7, Def. 4.3], 
recalled next. 

Definition 2 For the system x(f-|-l) = Ax(t) -\-Bu(t), 
the set S is said to be robustly positively invariant 
if, for all x(0) G S and u(t) G U, the condition x(t) G S 
holds for all t > 0. 

Recall that the feasible set $\Theta_\psi$ is defined as the set of parameters for which property $\psi$ holds, namely $\forall \theta \in \Theta_\psi : \mathbf{M}(\theta) \models \psi$. The satisfaction relation $\mathbf{M}(\theta) \models \psi$ depends implicitly on the set of initial states $x(0) \in \mathbb{X}_{ver}$ and on the set of inputs $\mathbb{U}_{ver}$. Let us extend the definition of the feasible set to explicitly account for its dependence on the set of initial conditions: given a bounded and convex set $S \subseteq \mathbb{X}$, let $\Theta_\psi(S)$ be defined as the set of parameters in $\Theta$ for which the parameterised models $\mathbf{M}(\theta)$ initialised with $x(0) \in S$ satisfy $\psi$ over input signals $u(t) \in \mathbb{U}_{ver}$, $t \geq 0$. Hence the feasible set $\Theta_\psi$ can be written as a function of the set of initial states $\mathbb{X}_{ver}$, that is $\Theta_\psi(\mathbb{X}_{ver})$. Thus the extended map $\Theta_\psi(\cdot)$ takes subsets of the state space into subsets of the parameter space. Note that if $S$ is a robustly positively invariant set that includes the set of initial states, $\mathbb{X}_{ver} \subseteq S$, then for all $\theta \in \Theta_\psi(S)$ the models $\mathbf{M}(\theta)$ satisfy $\psi$ along all infinite-time model traces $x(t)$: this allows us to state that $\mathbf{M}(\theta) \models \Box\psi$. We can show that the following holds.

Lemma 4 The function $\Theta_\psi(\cdot) : 2^{\mathbb{X}} \to 2^{\Theta}$, for specifications obtained as $\psi ::= \alpha \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$, is monotonically decreasing: that is, if $S_1 \subseteq S_2$, then $\Theta_\psi(S_2) \subseteq \Theta_\psi(S_1)$.

Proof We leverage the notation used in the proof of Theorem 3. Provided that the parameterised model is given as $(A, B, C(\theta), 0)$, we show that any $\theta \in \Theta_\psi(S_2)$ is also an element of $\Theta_\psi(S_1)$. Suppose $S_2$ has a finite number of vertices $x_j \in V(S_2)$; then for any $\theta \in \Theta_\psi(S_2)$:
$$
\bigwedge_{x_j \in V(S_2)} \big((I_{n_\psi} \otimes x_j^T) N_\psi + K_\psi\big)\,\theta \leq B_\psi,
$$
and, by convexity of $S_2$, for every $x \in S_2$
$$
\big((I_{n_\psi} \otimes x^T) N_\psi + K_\psi\big)\,\theta \leq B_\psi.
$$
Since the vertices $x_j \in V(S_1)$ are also elements of $S_2$, then
$$
\bigwedge_{x_j \in V(S_1)} \big((I_{n_\psi} \otimes x_j^T) N_\psi + K_\psi\big)\,\theta \leq B_\psi,
$$
and $\theta \in \Theta_\psi(S_1)$. This reasoning can be trivially extended to include parameterised $D$ matrices. Increasing the number of vertices of $S_1$ and $S_2$ does not change the result, hence the same holds if $S_1$ and $S_2$ are general convex sets. □

Based on the result in Lemma 4, we conclude that the maximal feasible set $\Theta_{\Box\psi}$ is obtained as a mapping from the minimal robustly positively invariant set $S$ that includes $\mathbb{X}_{ver}$: $\Theta_{\Box\psi} = \Theta_\psi(S)$. This leads us next to consider under which conditions such a minimal robustly positively invariant set $S$ can be exactly computed or approximated.

Feasible set for invariance properties with $\mathbb{X}_{ver} = \{0_n\}$

For $\mathbb{X}_{ver} = \{0_n\}$, assuming a bounded interval $\mathbb{U}_{ver}$ with the origin in its interior, and under some basic assumptions on the dynamics (to be shortly discussed), the minimal robustly positively invariant set can be shown to be a bounded and convex set that includes the origin [7]. Maintaining the condition of $\mathbb{U}_{ver}$ being bounded and having the origin in its interior, we first consider the case $\mathbb{X}_{ver} = \{0_n\}$ and characterise $S$ via tools available from set theory in systems and control; thereafter we look at extensions to more general sets of initial states $\mathbb{X}_{ver}$.


Assume that $\mathbb{U}_{ver}$ includes the origin, and denote the forward reachability mappings initialised with $\mathcal{R}^{(0)} := \{0_n\} \subset \mathbb{X}$ as
$$
\mathcal{R}^{(i)} := \mathrm{Post}\big(\mathcal{R}^{(i-1)}\big), \qquad (9)
$$
with set operation $\mathrm{Post}(\mathcal{X}) := \{x' = Ax + Bu,\ x \in \mathcal{X},\ u \in \mathbb{U}\}$. Denote the limit reachable set as $\mathcal{R}^{\infty} = \lim_{i\to\infty}\mathcal{R}^{(i)}$. From the literature we recall that properties of these $i$-step reachable sets, as given in [7], include the following: for a reachable pair $(A, B)$ and an asymptotically stable matrix $A$, the $\infty$-reachable set $\mathcal{R}^\infty$ is bounded and convex [7, Proposition 6.9]. The $k$-step reachable set converges to the $\infty$-reachable set via (9), since the iteration is monotonically increasing, $\mathcal{R}^{(i)} \subseteq \mathcal{R}^{(i+1)}$ (which holds because $0 \in \mathbb{U}_{ver}$). Moreover, $\mathcal{R}^\infty$ is the minimal robustly positively invariant set for the system, so that any robustly positively invariant set includes $\mathcal{R}^\infty$ [7, Proposition 6.13]. Thus, starting from $x(0) = 0_n$, all $x(t) \in \mathcal{R}^\infty$, and furthermore, of interest to this work, we conclude that $\Theta_{\Box^k\psi} = \Theta_\psi(\mathcal{R}^{(k)})$ and $\Theta_{\Box\psi} = \Theta_\psi(\mathcal{R}^\infty)$.

Feasible set for invariance properties under polytopic sets of initial states

More generally, if $\mathbb{X}_{ver} \subseteq \mathcal{R}^\infty$ and ceteris paribus, then $\mathcal{R}^\infty$ is the minimal robustly positively invariant set that includes $\mathbb{X}_{ver}$, and $\Theta_\psi(\mathcal{R}^\infty) = \Theta_{\Box\psi}$. For finite iterations the reachable sets $\mathcal{R}^{(i)}$ are polytopes, and if $\mathcal{R}^{(i)} = \mathcal{R}^{(i+1)}$, then $\mathcal{R}^{(i)} = \mathcal{R}^\infty$. Though the iterations can stop in finite time, in general the number of iterations needed to obtain $\mathcal{R}^\infty$ can be infinite. Whilst the minimal robustly positively invariant set is not necessarily closed or a polytope, there exist methods to approximate $\mathcal{R}^\infty$, as detailed in [7]. For instance, for stable systems $\mathcal{R}^{(k)}$ is shown to converge to $\mathcal{R}^\infty$, in the sense that for all $\epsilon > 0$ there exists $\bar{k}$ such that for $k \geq \bar{k}$, $\mathcal{R}^{(k)} \subseteq \mathcal{R}^\infty \subseteq (1+\epsilon)\mathcal{R}^{(k)}$ [7, Proposition 6.9].

Recall that the maximal feasible set $\Theta_{\Box\psi}$ is obtained as a mapping from the minimal robustly positively invariant set $S$ including $\mathbb{X}_{ver}$, that is $\Theta_{\Box\psi} = \Theta_\psi(S)$. Let us extend the study to the case where the conditions $\mathbb{X}_{ver} = \{0_n\}$ or its extension $\mathbb{X}_{ver} \subseteq \mathcal{R}^\infty$ do not apply, while the condition on the bounded set $\mathbb{U}_{ver}$ is maintained, that is $0 \in \mathbb{U}_{ver}$. Consider the more general case where the set of initial states is a polytope but not necessarily a subset of $\mathcal{R}^\infty$. Denote the union of the forward reachability mappings initialised with $\mathcal{R}_{\mathbb{X}}^{(0)} := \mathbb{X}_{ver} \subset \mathbb{X}$ as
$$
\mathcal{R}_{\mathbb{X}}^{(k+1)} := \mathcal{R}_{\mathbb{X}}^{(k)} \cup \mathrm{Post}\big(\mathcal{R}_{\mathbb{X}}^{(k)}\big). \qquad (10)
$$
This set is also known in the literature as the reach tube. The corresponding set for infinite time is denoted as $\mathcal{R}_{\mathbb{X}}^\infty = \lim_{k\to\infty}\mathcal{R}_{\mathbb{X}}^{(k)}$. Notice that if $\mathbb{X}_{ver} \subseteq \mathcal{R}^\infty$, then $\mathcal{R}^\infty = \mathcal{R}_{\mathbb{X}}^\infty$. The iteration is monotonically increasing, and whenever $\mathcal{R}_{\mathbb{X}}^{(k+1)} = \mathcal{R}_{\mathbb{X}}^{(k)}$ it stops after a finite number of iterations with $\mathcal{R}_{\mathbb{X}}^\infty = \mathcal{R}_{\mathbb{X}}^{(k)}$. Of course, also in this more general case the number of iterations can be unbounded; however, the convergence properties of $\mathcal{R}^{(k)}$ extend seamlessly to the case of the sets $\mathcal{R}_{\mathbb{X}}^{(k)}$. Since $\mathcal{R}_{\mathbb{X}}^{\infty}$ is a union of polytopes, it is not guaranteed to be a convex set. Still, it can be shown via the proof of Theorem 3 that the computation of the feasible set $\Theta_\psi(S)$ boils down to that of $\Theta_\psi(\mathrm{conv}(S))$.


Remark 5 Let us illustrate the convergence property for the sets $\mathcal{R}_{\mathbb{X}}^{(k)}$ as follows. For every vertex $x^i(0) \in \mathbb{X}_{ver}$, select a decomposition $x^i(0) = x^i_{\mathcal{R}}(0) + x^i_{\mathbb{X}}(0)$ with $x^i_{\mathcal{R}}(0) \in \mathcal{R}^\infty$, which minimises $\|x^i_{\mathbb{X}}(0)\|$ for a chosen vector norm $\|\cdot\|$. Since every element $x(0) \in \mathbb{X}_{ver}$ is a convex combination of the vertices $x^i(0)$, it follows that for all $x(0) \in \mathbb{X}_{ver}$
$$
x(0) = \sum_i a_i x^i(0) = \sum_i a_i x^i_{\mathcal{R}}(0) + \sum_i a_i x^i_{\mathbb{X}}(0) \in \mathrm{conv}\big(x^i_{\mathcal{R}}(0)\big) + \mathrm{conv}\big(x^i_{\mathbb{X}}(0)\big) \subseteq \mathcal{R}^\infty + \tilde{\mathbb{X}}_{ver},
$$
with $\sum_i a_i = 1$, $a_i \geq 0$, and where $\tilde{\mathbb{X}}_{ver} = \mathrm{conv}(x^i_{\mathbb{X}}(0))$. We obtain that $\mathbb{X}_{ver} \subseteq \mathcal{R}^\infty + \tilde{\mathbb{X}}_{ver}$, and that the minimal robustly positively invariant set including $\mathbb{X}_{ver}$ can be bounded by $\mathcal{R}^\infty + \lim_{k\to\infty}\bigcup_{i=0}^{k} A^i\tilde{\mathbb{X}}_{ver}$. Under the condition of asymptotic stability of $A$, necessary for $\mathcal{R}^\infty$ to be a bounded and convex set, $A^i\tilde{\mathbb{X}}_{ver}$ converges to $\{0_n\}$. Thus the iteration $\mathcal{R}_{\mathbb{X}}^{(k)}$ is monotonically increasing and bounded, hence it converges. If $\tilde{\mathbb{X}}_{ver}$ includes the origin in its interior, then there exists a finite iteration $k$ such that $A^{k+1}\tilde{\mathbb{X}}_{ver} \subseteq \tilde{\mathbb{X}}_{ver}$, after which the union $\bigcup_{i=0}^{k} A^i\tilde{\mathbb{X}}_{ver}$ stops growing. Moreover, for any reachable pair $(A, B)$ and asymptotically stable $A$, the closure of the minimal robustly positively invariant set $\mathcal{R}_{\mathbb{X}}^\infty$ includes the origin.

Robust approximations of the feasible set via $\Theta_\psi(\cdot)$

In order to exploit convergence in the computation of the feasible set for invariance properties, we need to bound the error incurred with the use of approximations of the sets $\mathcal{R}_{\mathbb{X}}^\infty$ or $\mathcal{R}^\infty$. Let $\mathbb{B}$ denote the unit ball centred at the origin and let the Hausdorff distance between sets $\mathcal{R}_1$ and $\mathcal{R}_2$ be defined as
$$
\delta_H(\mathcal{R}_1, \mathcal{R}_2) = \inf\{\epsilon > 0 \mid \mathcal{R}_1 \subseteq \mathcal{R}_2 + \epsilon\mathbb{B},\ \mathcal{R}_2 \subseteq \mathcal{R}_1 + \epsilon\mathbb{B}\}.
$$
We can show that the following holds.

Lemma 6 Consider a polytope $\mathcal{R}$, and a property $\psi$ comprised of $\psi ::= \alpha \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$, with $\alpha \in \Sigma$, for which $\Theta_\psi(\mathcal{R})$ is a non-empty polytope with vertices $v_i$ and the origin in its interior. Let $A$ be bounded as $\|A\|_2 < 1$. Then for any $\epsilon_x > 0$,
$$
\Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B}) \subseteq \Theta_\psi(\mathcal{R}) \subseteq \Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B}) + \epsilon_\theta\mathbb{B} \qquad (11)
$$
if
$$
\epsilon_\theta \geq \frac{\epsilon_x\,\epsilon_p\,\max_i(\|v_i\|)^2}{1 + \epsilon_x\,\epsilon_p\,\max_i(\|v_i\|)}, \qquad \text{for } \epsilon_p = \max_{p \in AP}\frac{\|P_p\|_2}{|b_p|}.
$$

Proof 1. $\Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B}) \subseteq \Theta_\psi(\mathcal{R})$. Based on the definition of this set (cf. the proof of Theorem 3), the set operation $\Theta_\psi(\cdot)$ is monotonically decreasing (Lemma 4). Therefore $\Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B}) \subseteq \Theta_\psi(\mathcal{R})$ holds.

2. $\Theta_\psi(\mathcal{R}) \subseteq \Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B}) + \epsilon_\theta\mathbb{B}$. Consider the case where the model is $(A, B, C(\theta), 0)$. To prove (11), we first find an $\epsilon_\theta$ as a function of $\epsilon_x$ such that
$$
\Theta_\psi(\mathcal{R}) \subseteq \Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B}) + \epsilon_\theta\mathbb{B}. \qquad (12)
$$
Let $v_i$ be the vertices of the polytope, $v_i \in V(\Theta_\psi(\mathcal{R}))$; then (12) holds if and only if $v_i \in \Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B}) + \epsilon_\theta\mathbb{B}$ for every $i$. Equivalently, this means that there exists an $r_\theta \in \epsilon_\theta\mathbb{B}$ such that $v_i - r_\theta \in \Theta_\psi(\mathcal{R} + \epsilon_x\mathbb{B})$. This is equivalent to demanding that for every $x_j \in V(\mathcal{R})$, $v_i \in V(\Theta_\psi(\mathcal{R}))$ and $r_x \in \epsilon_x\mathbb{B}$, there exists a vector $r_\theta \in \epsilon_\theta\mathbb{B}$ with
$$
\big((I_{n_\psi} \otimes (x_j + r_x)^T) N_\psi + K_\psi\big)(v_i - r_\theta) \leq B_\psi
$$
$$
\Leftrightarrow\quad \big((I_{n_\psi} \otimes x_j^T) N_\psi + K_\psi\big)(v_i - r_\theta) + \big((I_{n_\psi} \otimes r_x^T) N_\psi\big)(v_i - r_\theta) \leq B_\psi.
$$
Take $v_i - r_\theta = (1 - \alpha_i)v_i$ with $\alpha_i \in [0, 1)$; then
$$
\big((I_{n_\psi} \otimes x_j^T) N_\psi + K_\psi\big)(1 - \alpha_i)v_i + \big((I_{n_\psi} \otimes r_x^T) N_\psi\big)(1 - \alpha_i)v_i \leq B_\psi,
$$
which, since $v_i \in \Theta_\psi(\mathcal{R})$ already gives $\big((I_{n_\psi} \otimes x_j^T) N_\psi + K_\psi\big)v_i \leq B_\psi$, is implied by
$$
(1 - \alpha_i)\,(I_{n_\psi} \otimes r_x^T)\,N_\psi\,v_i \leq \alpha_i B_\psi. \qquad (13)
$$
Separate the matrix $N_\psi$ and the vector $B_\psi$ into their blocks $N_\psi^j = [N_\psi]_{\{1+(j-1)n : jn\} \times \{1 : n_\theta\}}$ and $B_\psi^j = [B_\psi]_j$, such that inequality (13) is equivalent to the set of scalar inequalities
$$
(1 - \alpha_i)\, r_x^T N_\psi^j v_i \leq \alpha_i B_\psi^j, \qquad \text{for } j = 1, \ldots, n_\psi. \qquad (14)
$$
Given that $0$ lies in the interior of $\Theta_\psi(\mathcal{R})$, it follows that $B_\psi^j > 0$ for $j = 1, \ldots, n_\psi$. The term on the left can be upper bounded based on the Cauchy–Schwarz inequality and $\|r_x\|_2 \leq \epsilon_x$:
$$
(1 - \alpha_i)\, r_x^T N_\psi^j v_i \leq (1 - \alpha_i)\,\epsilon_x\,\|N_\psi^j\|_2\,\|v_i\|_2 \leq (1 - \alpha_i)\,\epsilon_x\,\epsilon_p\,|B_\psi^j|\,\|v_i\|_2.
$$
The last inequality follows from the introduction of the precision of the labelling, denoted as $\epsilon_p$ and defined as
$$
\epsilon_p = \max_{p \in AP}\frac{\|P_p\|_2}{|b_p|}. \qquad (16)
$$
Remember that $\|L \otimes K\|_2 = \|L\|_2\|K\|_2$. Then, based on Theorem 3 and on the condition $\|A\|_2 < 1$, it can be shown that
$$
\max_j \|(N_\psi^j)^T\|_2\,|B_\psi^j|^{-1} \leq \max_{p \in AP}\frac{\|P_p\|_2}{|b_p|}.
$$
Note that $\alpha_i/(1 - \alpha_i)$ monotonically increases with $\alpha_i$ for $\alpha_i \in [0, 1)$. Therefore the smallest $\alpha_i$ satisfying (14) for all $j = 1, \ldots, n_\psi$ can be found as
$$
\alpha_i = \frac{\epsilon_x\,\epsilon_p\,\|v_i\|}{1 + \epsilon_x\,\epsilon_p\,\|v_i\|}. \qquad (17)
$$
Since $\|r_\theta\| = \alpha_i\|v_i\|$, it follows that (12) holds if
$$
\epsilon_\theta = \max_i(\|v_i\|_2)\,\frac{\epsilon_x\,\epsilon_p\,\max_i(\|v_i\|_2)}{1 + \epsilon_x\,\epsilon_p\,\max_i(\|v_i\|_2)}. \qquad (18)
$$
For the case that the model is parameterised in both $C$ and $D$, i.e., $(A, B, C(\theta), D(\theta))$, the derivation is a bit more cumbersome but can be repeated with no change to the end result. □

Let us briefly discuss the conditions under which Lemma 6 is applicable. The condition that $\Theta_\psi(\mathcal{R})$ is not empty is raised to avoid the trivial case where $\Theta_\psi(\mathcal{R}) = \emptyset$ and (11) holds for all $\epsilon_\theta$. The condition that $\Theta_\psi(\mathcal{R})$ is a polytope, and hence bounded, is necessary to obtain a bounded Hausdorff distance. This distance quantifies the difference between two sets, and is a necessary step to bound the approximation error. The requirement that $\Theta_\psi(\mathcal{R})$ includes the origin is a sufficient condition and relates to well-posedness for bounded input sets including the origin. When considering invariance properties defined for $0 \in \mathbb{U}_{ver}$ and for any polytope $\mathbb{X}_{ver}$, the requirement that $0 \in \Theta_\psi(\cdot)$ is necessary for $\Theta_{\Box\psi}$ to be non-empty: this can be intuitively illustrated by noting that, under an assumption of asymptotic stability for $A$, for any $\theta$ and for $u(\cdot) = 0$ the output $y(t, \theta)$ of the model in (6) converges to 0. Hence for a property to be satisfied under these conditions it should at least hold for the zero output, which is equivalent to demanding that it holds for $\theta = 0$. For any atomic proposition $p_i \in AP$ (see Equation (5)) it can be shown that there is an invertible mapping between the row vectors, proportional to the normals of the faces of the polyhedral set $\Theta_{p_i}(x(0))$, and the initial state $x(0)$. Therefore, if $\mathcal{R}^{(k)}$ has the origin in its interior, then $\Theta_{p_i}(\mathcal{R}^{(k)})$ has to be bounded, and as a consequence so has any feasible set comprising this atomic proposition. This holds for $k \geq n$ if $(A, B)$ is a reachable pair and if $\mathbb{U}_{ver}$ has $0$ in its interior. Under the same conditions there exists a $k$ such that $\mathcal{R}_{\mathbb{X}}^{(k)}$ has $0_n$ in its interior. The generalisation to the case dealing with a Hausdorff distance of the feasible set for invariance properties with a set of inputs $0 \notin \mathbb{U}_{ver}$ is outside of the scope of this work.

Convergence properties

We can employ Lemma 6 to bound the Hausdorff distance between $\Theta_{\Box^k\psi}$ and $\Theta_{\Box\psi}$. If $\mathbb{X}_{ver} = \{0_n\}$ and the spectral radius of $A$ is strictly less than 1 (that is, $\rho(A) < 1$), then the Hausdorff distance between the reachable sets can be bounded as
$$
\delta_H(\mathcal{R}^{(k)}, \mathcal{R}^\infty) \leq e(k) := \|A^k\|_2\,\max_{u \in \mathbb{U}_{ver}}(|u|)\,c_1, \qquad (19)
$$
with $c_1$ a bound on the $L_1$ norm, which is the peak-to-peak performance of the dynamical system formed by $(A, B)$ (see the derivation in the appendix). In case $\mathbb{X}_{ver} \neq \{0_n\}$, the forward reachable iteration (10) can be rewritten in terms of the sets of (9) as
$$
\mathcal{R}_{\mathbb{X}}^{(k)} = \bigcup_{i=0}^{k}\big(A^i\mathbb{X}_{ver} + \mathcal{R}^{(i)}\big),
$$
and the Hausdorff distance can be bounded as
$$
\delta_H(\mathcal{R}_{\mathbb{X}}^{(k)}, \mathcal{R}_{\mathbb{X}}^\infty) \leq e(k) + \|A^{k+1}\|_2\,\delta_H(\mathbb{X}_{ver}, \{0_n\}).
$$
Note that for $\rho(A) < 1$ the norm $\|A^k\|_2 \to 0$ for $k \to \infty$. In case the conditions of Lemma 6 on $\mathcal{R}_{\mathbb{X}}^{(k)} \subset \mathbb{X}$ and $\Theta_\psi(\mathcal{R}_{\mathbb{X}}^{(k)})$ hold, the Hausdorff distance $\delta_H(\Theta_{\Box^k\psi}, \Theta_{\Box\psi})$ can be bounded by
$$
\|A^k\|_2\,\max_i(\|v_i\|)^2\,\epsilon_p\Big(\max_{u \in \mathbb{U}_{ver}}(|u|)\,c_1 + \|A\|_2\,\delta_H(\mathbb{X}_{ver}, \{0_n\})\Big). \qquad (20)
$$

Use in the verification of unbounded-time properties

Based on the convergence properties of the feasible set, the asymptotic behaviour of the confidence computed in Proposition 1 can be stated.

Corollary 7 (Convergence) Under the conditions of Lemma 6, for a Gaussian distribution $p(\theta) \sim \mathcal{N}(\mu_\theta, R_\theta)$ with a covariance $R_\theta \succ 0$, $P(\theta \in \Theta_{\Box^k\psi}) \to P(\theta \in \Theta_{\Box\psi})$ for $k \to \infty$.

Proof [of Corollary 7] For a strictly positive definite $R_\theta$ the Gaussian density takes finite values over the parameter space; therefore the convergence of a monotonically decreasing polytope over the parameter space induces the convergence of the associated probability measure. □
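The iteration (9), the bound $e(k)$ derived in the appendix, the vertex-wise half-space construction of $\Theta_\psi(\cdot)$ used in the proof of Lemma 4, and the confidence $P(\theta \in \Theta_{\Box^k\psi})$ of Corollary 7 are exercised together in the following worked example. It is added here and is not code from the paper: the matrices $A$, $B$, the input interval, the output map $C(\theta) = \theta^T$, the single atomic proposition $P y \leq b$ and the Gaussian prior $\mathcal{N}([1\ 0]^T, I)$ are all constructed for the illustration, and the confidence is estimated by Monte Carlo sampling rather than by the numerical integration of (2). The example also covers the defective-$A$ case of the appendix (a Jordan block with $\|A\|_2 \geq 1$ but $\rho(A) < 1$), which goes beyond the $\|A\|_2 < 1$ setting of Lemma 6.

```python
"""Added example (not the paper's code): reachable sets R^(k) of x(t+1) = A x + B u
from the origin, the bound e(k) of the appendix, the feasible parameter set
Theta_psi(R^(k)) for one half-space atomic proposition, and P(theta in Theta)."""
import random
from math import sqrt

# Constructed 2-d dynamics (assumption: this is not the paper's model (8)); ||A||_2 < 1.
A = ((0.8, 0.3), (0.0, 0.7))
B = (0.5, 1.0)
U_VER = (-0.2, 0.2)      # bounded input interval with the origin in its interior
# Assumed output map y = C(theta) x = theta^T x and atomic proposition alpha: P y <= b,
# so alpha holds at state x iff (P x^T) theta <= b (one half-space in theta per x).
P, BOUND = 1.0, 1.0


def convex_hull(points):
    """Andrew's monotone chain; returns the hull vertices counter-clockwise."""
    pts = sorted(set((round(x, 12), round(y, 12)) for x, y in points))
    if len(pts) <= 2:
        return pts
    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])
    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 1e-10:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 1e-10:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def post(vertices):
    """Post(R) = {A x + B u : x in R, u in U}: the hull of the vertex-pair images."""
    return convex_hull((A[0][0] * x + A[0][1] * y + B[0] * u,
                        A[1][0] * x + A[1][1] * y + B[1] * u)
                       for x, y in vertices for u in U_VER)


def reach_sets(k_max):
    """R^(0) = {0_n}, R^(i) = Post(R^(i-1)) as in (9); stops early at a fixed point."""
    sets = [[(0.0, 0.0)]]
    for _ in range(k_max):
        sets.append(post(sets[-1]))
        if sets[-1] == sets[-2]:       # R^(i) = R^(i+1), hence R^(i) = R^inf
            break
    return sets


def is_subset(inner, outer):
    """All vertices of `inner` lie in the CCW polygon `outer` (>= 3 vertices)."""
    n = len(outer)
    return all((outer[(i + 1) % n][0] - outer[i][0]) * (py - outer[i][1])
               - (outer[(i + 1) % n][1] - outer[i][1]) * (px - outer[i][0]) >= -1e-9
               for px, py in inner for i in range(n))


def spectral_norm(M):
    """||M||_2 of a 2x2 matrix via the largest eigenvalue of M^T M."""
    (a, b), (c, d) = M
    p, q, r = a * a + c * c, a * b + c * d, b * b + d * d
    return sqrt((p + r) / 2 + sqrt(((p - r) / 2) ** 2 + q * q))


def mat_pow(M, k):
    R = ((1.0, 0.0), (0.0, 1.0))
    for _ in range(k):
        R = tuple(tuple(sum(R[i][m] * M[m][j] for m in range(2))
                        for j in range(2)) for i in range(2))
    return R


def first_contractive_power(M):
    """Smallest l with ||M^l||_2 < 1; exists whenever rho(M) < 1, also for a
    defective M (e.g. a Jordan block) whose ||M||_2 exceeds 1."""
    l = 1
    while spectral_norm(mat_pow(M, l)) >= 1:
        l += 1
    return l


def error_bound(k, M=A, G=B):
    """e(k) = ||M^k||_2 max|u| c_1, c_1 = ||G||_2 sum_{i<l}||M^i||_2 / (1 - ||M^l||_2),
    so that R^inf lies inside R^(k) + e(k) * unit ball (appendix, (.2)-(.3))."""
    l = first_contractive_power(M)
    head = sum(spectral_norm(mat_pow(M, i)) for i in range(l))
    c1 = sqrt(G[0] ** 2 + G[1] ** 2) * head / (1 - spectral_norm(mat_pow(M, l)))
    return spectral_norm(mat_pow(M, k)) * max(abs(u) for u in U_VER) * c1


def feasible_set(vertices):
    """Theta_psi(R) as half-spaces (P x_j^T) theta <= b, one per vertex x_j of R."""
    return [((P * x, P * y), BOUND) for x, y in vertices]


def in_feasible_set(theta, halfspaces):
    return all(a[0] * theta[0] + a[1] * theta[1] <= b for a, b in halfspaces)


def gaussian_samples(mean, std, n, seed=0):
    """Constructed Gaussian prior p(theta) ~ N(mean, std^2 I), as in Corollary 7."""
    rng = random.Random(seed)
    return [(rng.gauss(mean[0], std), rng.gauss(mean[1], std)) for _ in range(n)]


def confidence(halfspaces, samples):
    """Monte Carlo estimate of P(theta in Theta_psi(R)) over the prior samples."""
    return sum(in_feasible_set(t, halfspaces) for t in samples) / len(samples)
```

Because the same prior samples are scored against the nested sets $\Theta_\psi(\mathcal{R}^{(k+1)}) \subseteq \Theta_\psi(\mathcal{R}^{(k)})$, the estimated confidence is non-increasing in $k$, mirroring the lower plot of Figure 4; for $k = 1$ the reachable set is a segment and the feasible set is an unbounded slab, exactly the unbounded $\Theta_{\Box^1\psi}$ observed in Section 3.5. `first_contractive_power` makes explicit that $e(k)$ only needs $\rho(A) < 1$, whereas the $\|A\|_2 < 1$ condition of Lemma 6 is what the parameter-space bound (20) relies on.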

Theorem 3 can now be generalised to include unbounded-time invariance properties as follows.

Theorem 8 Consider a polytopic set of initial states $x(0) \in \mathbb{X}_{ver}$, inputs $u(t) \in \mathbb{U}_{ver}$ for $t \geq 0$, and a labelling map as in (5). Let $\hat{\mathcal{R}}$ be a polytopic superset of the minimal robustly positively invariant set that includes $\mathbb{X}_{ver}$, denoted as $\mathcal{R}_{\mathbb{X}}^\infty$; then the feasible set admits a polyhedral subset $\hat{\Theta}_\psi \subseteq \Theta_\psi$ for every specification $\psi$ expressed within the LTL fragment $\psi ::= \alpha \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2 \mid \Box\psi$, and if $\hat{\mathcal{R}} = \mathcal{R}_{\mathbb{X}}^\infty$ then $\hat{\Theta}_\psi = \Theta_\psi$.

Proof Every property $\psi ::= p \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2 \mid \Box\psi$ with $p \in AP$ can be rewritten as $\Box\psi_1 \wedge \psi_2$, where $\psi_1$ and $\psi_2$ have syntax $\psi ::= p \mid \bigcirc\psi \mid \psi_1 \wedge \psi_2$.

For the set of initial states $\mathbb{X}_{ver}$, a property $\psi$ is invariant,
$$
(\mathbf{M}(\theta), x(0)) \models \Box\psi, \qquad \forall x(0) \in \mathbb{X}_{ver},
$$
if and only if $\forall x \in \mathcal{R}_{\mathbb{X}}^\infty : (\mathbf{M}(\theta), x) \models \psi$. Let $\hat{\mathcal{R}}$ be a polytopic superset of $\mathcal{R}_{\mathbb{X}}^\infty$ with a finite set of vertices $v_{\mathcal{R}} \in V_{\mathcal{R}}$; then the subset approximation of the feasible set $\Theta_{\Box\psi}$ follows as
$$
\Theta_{\Box\psi} \supseteq \hat{\Theta}_{\Box\psi} = \Theta_\psi(\hat{\mathcal{R}}) = \bigcap_{v_{\mathcal{R}} \in V_{\mathcal{R}}} \Theta_\psi(\{v_{\mathcal{R}}\}),
$$
where $\hat{\Theta}_{\Box\psi} \subseteq \Theta_{\Box\psi}$ by Lemma 4. Note that if $\hat{\mathcal{R}} = \mathcal{R}_{\mathbb{X}}^\infty$ then $\hat{\Theta}_{\Box\psi} = \Theta_{\Box\psi}$. The feasible set of $\Box\psi_1 \wedge \psi_2$ is equal to $\Theta_{\Box\psi_1 \wedge \psi_2} = \Theta_{\Box\psi_1} \cap \Theta_{\psi_2}$, and $\Theta_{\Box\psi_1 \wedge \psi_2}$ can be lower and upper bounded as
$$
\hat{\Theta}_{\Box\psi_1} \cap \Theta_{\psi_2} \subseteq \Theta_{\Box\psi_1 \wedge \psi_2} \subseteq \Theta_{\Box^k\psi_1} \cap \Theta_{\psi_2},
$$
with $k \in \mathbb{N}$. This proves Theorem 8 for the case where the model is $(A, B, C(\theta), 0)$. The additional parameterisation of $D$ does not change the reasoning. □

The extension beyond the LTL fragment discussed above may lead to feasible sets that are in general not convex, and is therefore beyond the scope of this work.

3.5 Case Study (cont.): Unbounded-Time Safety Verification

We study convergence properties for the safety specification considered in the case study in Section 3.3 (denoted $\psi$ below), maintaining the same operating conditions as before for the safety verification and the experiment. In Figure 3a the forward reachability sets $\mathcal{R}^{(k)}$ with $k = 1, \ldots, 20$ are obtained for the model dynamics in (8). Figure 4 (upper plot) displays the bounds $e(k)$ on the Hausdorff distances $\delta_H(\mathcal{R}^{(k)}, \mathcal{R}^\infty)$ computed with (19): starting from a slanted line segment for $\mathcal{R}^{(1)}$ as in Figure 3a, it can be observed that the forward reachable sets converge rapidly, as confirmed by the error bound displayed in Figure 4 (upper plot).

Based on $\mathcal{R}^{(k)}$, the feasible set for the $k$-bounded invariance can be computed as $\Theta_{\Box^k\psi} = \Theta_\psi(\mathcal{R}^{(k)})$. The feasible sets $\Theta_{\Box^k\psi}$ with $k = 1, \ldots, 20$ are plotted in Figure 3b. Observe that the feasible set $\Theta_{\Box^1\psi}$ is not bounded, but for $k \geq 2$ the feasible sets are bounded and, as expected, decrease in size with the time horizon. In Figure 4 (middle plot) bounds on the Hausdorff distances $\delta_H(\Theta_{\Box\psi}, \Theta_{\Box^k\psi})$ are given for $k = 2, \ldots, 20$ (no finite bound is computed for the index $k = 1$, since for that instance the feasible set is not bounded). Let us conclude this case study by looking at confidence quantification as a function of the time horizon. Figure 4 (lower plot) represents the confidence in the property, $P(\theta \in \Theta_{\Box^k\psi} \mid Z^N)$, for indices $k = 1, \ldots, 20$. Unlike the case discussed in Section 3.3, which focused on statistics of the confidence via mean and variance drawn over multiple experiments, we zoom in on asymptotic properties by considering a data set $Z^N$ comprising a single trace made up of 200 measurements, simulated under the same conditions as in Section 3.3, and with $\theta_0 = [1\ 0]^T$. From the resulting probability density $p(\theta \mid Z^N)$ it may be observed that the confidence converges rapidly to a nonzero value.


3.6 Discussion on the Generalisation of the Results


The discussed approach based on polytopes allows for analytical expressions of the feasible set; however, the implementation may not scale to models with very large dimension: in particular, the number of half-planes characterising the feasible set may increase with the time bound of the LTL formula $\psi$ (that is, with the repeated application of the $\bigcirc$ operator), and with the cardinality of the atomic propositions in the alphabet $\Sigma$. Still, note that these computations are essentially quite similar to known reachability computations, therefore the method is extendable well beyond the 2-dimensional case study, especially when applying sophisticated reachability analysis tools from the literature. Therefore the discussed limitations related to the current implementation of the approach ought to be dealt with in the future by the use of tailored and less naive computational approaches.

[Figure 3: Reachable and feasible sets for the unbounded-time verification problem. (a) The first 20 iterations of the forward reachable set $\mathcal{R}^{(k)}$, $k = 1, \ldots, 20$, for the case study (horizontal axis $x_1$). The reachable sets grow in size from dark grey ($k = 1$) to light grey ($k = 20$), so that $\mathcal{R}^{(k)} \subseteq \mathcal{R}^{(k+1)}$. (b) The feasible sets for the $k$-bounded invariance property with $k = 1, \ldots, 20$, obtained for the case study.]

[Figure 4: (Upper plot) Error bound on the approximation level of the $k$-th forward reachable sets, which is such that $\mathcal{R}^\infty \subseteq \mathcal{R}^{(k)} + e(k)\mathbb{B}$ for $k = 1, \ldots, 20$. (Middle plot) The Hausdorff distance bound $\epsilon_\theta(k)$ between $\Theta_{\Box^k\psi}$ and $\Theta_{\Box\psi}$ with $k = 2, \ldots, 20$, obtained for the case study. (Lower plot) Confidence that $\mathbf{S} \models \Box^k\psi$ for $k = 1, \ldots, 20$ for the case in Section 3.3, with a new experiment consisting of 200 samples collected as $Z^N$.]

In the discussion of model selection, we hinted at possible generalisations beyond linearly-parameterised model sets. Future extensions will deal with hybrid models, since when systems are not linear, their (local) behaviour is often well approximated with piecewise-linear dynamical models.

This paper has discussed the formal verification of physi¬ 
cal systems with partly unknown dynamics, by introduc¬ 
ing a Bayesian framework allowing for the efficient in¬ 
corporation of measurement data and prior information 
within a verification procedure based on safety analysis. 
This formal approach has allowed for the computation 
of the confidence level over the validity of a property of 
interest on the unknown system. The method has been 
applied to the verification of LTI models of systems over 
bounded and unbounded safety properties, and its com¬ 
putational overhead has been discussed at length. 

Looking forward, current work targets the extension of the applicability of tractable solutions to model-based and data-driven verification over complex physical systems. We are presently working on extensions of the considered set of logic formulae of interest, and plan to employ experiment design to optimise the input-output signal interaction for efficient data usage over general classes of models, as initially attempted in [17]. Additionally, the design of control policies that optimise properties of interest over partly unknown systems is a topic of current work.
Derivation of the Bounds in Section 3.4

1. Hausdorff distance of forward reachable mappings. We only sketch the method to bound the Hausdorff distance, whereas a more formal derivation can be found in the literature on robustly positively invariant sets [7].

The $k$-step forward reachable set equals
$$
\mathcal{R}^{(k)} := \bigcup_{i=1}^{k}\Big\{\sum_{j=1}^{i} A^{j-1} B\, u(i-j),\ \text{for } u(\cdot) \in \mathbb{U}_{ver}\Big\}.
$$
For $0 \in \mathbb{U}_{ver}$, the minimal invariant set $\mathcal{R}^\infty$ can be written, for any $i \geq 0$, as
$$
\mathcal{R}^\infty = \Big\{\sum_{j=0}^{i-1} A^{j} B\, u(j) + A^{i}\sum_{k=0}^{\infty} A^{k} B\, u(i+k),\ \text{for } u(\cdot) \in \mathbb{U}_{ver}\Big\}. \qquad (.1)
$$
If the spectral radius of $A$ is strictly smaller than 1, $\rho(A) < 1$, then
$$
\mathcal{R}^\infty \subseteq \mathcal{R}^{(k)} + e(k)\mathbb{B}, \qquad (.2)
$$
with
$$
A^{k}\sum_{i=0}^{\infty} A^{i} B\, u(k+i) \in e(k)\mathbb{B}, \qquad \text{for } u(\cdot) \in \mathbb{U}_{ver}.
$$
Note that $e(k)$ is bounded for $\rho(A) < 1$. For a matrix $A$ without defective eigenvalues, i.e. where the eigenvectors form a complete basis, this $L_1$ norm can be easily bounded using the spectral radius of $A$. In case the matrix $A$ is defective, we opt to bound the $L_1$-norm by exploiting the absolute sum of the $L_2$ induced norms $\|A^i\|_2$ for $i \to \infty$. Note that $\|A^i\|_2$ converges to 0 for $i \to \infty$ since $\rho(A) < 1$; therefore there exists a finite $l$ such that $\|A^l\|_2 < 1$, and we can upper bound the absolute sum as
$$
\sum_{i=0}^{\infty}\|A^i\|_2 \leq \Big(\sum_{i_1=0}^{l-1}\|A^{i_1}\|_2\Big)\Big(\sum_{i_2=0}^{\infty}\|A^{l}\|_2^{\,i_2}\Big) = \frac{\sum_{i_1=0}^{l-1}\|A^{i_1}\|_2}{1 - \|A^l\|_2},
$$
since every $i \geq 0$ can be written as $i = i_2 l + i_1$ with $0 \leq i_1 < l$, and $\|A^{i}\|_2 \leq \|A^{l}\|_2^{\,i_2}\|A^{i_1}\|_2$ by submultiplicativity. Thus in general the Hausdorff distance can be bounded as
$$
\delta_H(\mathcal{R}^{(k)}, \mathcal{R}^\infty) \leq e(k) = \|A^k\|_2\,\max_{u \in \mathbb{U}_{ver}}(|u|)\,c_1, \qquad (.3)
$$
with $c_1 = \|B\|_2\,\dfrac{\sum_{i=0}^{l-1}\|A^i\|_2}{1 - \|A^l\|_2}$ and $l$ such that $\|A^l\|_2 < 1$. Note that $c_1$ can be replaced by any bound on the $L_1$ norm of the dynamical system formed by $(A, B)$.

In case $\mathbb{X}_{ver} \neq \{0_n\}$, the forward reachable iteration can be rewritten as
$$
\mathcal{R}_{\mathbb{X}}^{(k)} = \bigcup_{i=0}^{k}\big(A^i\mathbb{X}_{ver} + \mathcal{R}^{(i)}\big),
$$
for which we know that
$$
\mathcal{R}_{\mathbb{X}}^{\infty} \subseteq \mathcal{R}_{\mathbb{X}}^{(k)} + \big(e(k) + \|A^{k+1}\|_2\,\delta_H(\mathbb{X}_{ver}, \{0_n\})\big)\mathbb{B}.
$$
Thus the Hausdorff distance is upper bounded as
$$
\delta_H(\mathcal{R}_{\mathbb{X}}^{(k)}, \mathcal{R}_{\mathbb{X}}^{\infty}) \leq e(k) + \|A^{k+1}\|_2\,\delta_H(\mathbb{X}_{ver}, \{0_n\}).
$$

2. Hausdorff distance on feasible sets. Suppose that the conditions in Lemma 6 hold for $\mathcal{R}_{\mathbb{X}}^{(k)}$; then we can compute a value $\epsilon_\theta$ such that $\delta_H(\Theta_{\Box^k\psi}, \Theta_{\Box\psi}) \leq \epsilon_\theta$, where $\epsilon_x$ is a bound on the Hausdorff distance $\delta_H(\mathcal{R}_{\mathbb{X}}^{(k)}, \mathcal{R}_{\mathbb{X}}^{\infty})$.

The set operation $\Theta_\psi(\cdot)$ is monotonically decreasing, therefore
$$
\Theta_\psi(\mathcal{R}_{\mathbb{X}}^{(k)} + \epsilon_x\mathbb{B}) \subseteq \Theta_{\Box\psi} = \Theta_\psi(\mathcal{R}_{\mathbb{X}}^{\infty}) \subseteq \Theta_\psi(\mathcal{R}_{\mathbb{X}}^{(k)}) = \Theta_{\Box^k\psi},
$$
and, by Lemma 6,
$$
\Theta_{\Box^k\psi} \subseteq \Theta_\psi(\mathcal{R}_{\mathbb{X}}^{(k)} + \epsilon_x\mathbb{B}) + \epsilon_\theta\mathbb{B} \subseteq \Theta_{\Box\psi} + \epsilon_\theta\mathbb{B},
$$
so that
$$
\Theta_{\Box\psi} \subseteq \Theta_{\Box^k\psi} \subseteq \Theta_{\Box\psi} + \epsilon_\theta\mathbb{B}.
$$
Based on Lemma 6, with $\epsilon_p = \max_{p \in AP}\|P_p\|_2/|b_p|$, we obtain
$$
\epsilon_\theta = \frac{\epsilon_x\,\epsilon_p\,\max_i(\|v_i\|)^2}{1 + \epsilon_x\,\epsilon_p\,\max_i(\|v_i\|)} \leq \epsilon_x\,\epsilon_p\,\max_i(\|v_i\|)^2.
$$
Note that since $\|A^k\|_2$ converges to 0 for $k \to \infty$ when $\rho(A) < 1$, and since $\max_i(\|v_i\|)^2$ is not increasing in $k$, the error $\epsilon_\theta$ also converges to 0.